The Cliff Notes Version of the GDPR and How It Can Affect You

Europe is big into protecting the privacy of users who enter their information online (like filling out a form for an appointment, a credit card application, or even signing up for a newsletter). They continually make the laws stronger to protect their citizens from digital evilness (like selling your information without your consent)– much more so than the US.

That’s why they created the General Data Protection Regulation of the European Union(GDPR). And on May 25, 2018, they are going to start enforcing even stricter requirements.

It can basically be boiled down to applying the Golden Rule to your privacy policy.

“Digitally Do Unto Others As You Would Have Them Digitally Do Unto You”

So what does this mean for you?

If you never are going to reach out to anyone in the European Union, you don’t HAVE to do anything for now. The reason we say for now is that the US may decide to bring up our standards to Europe’s and then you will need to make sure your collection of user data, storage of that data, and your privacy policy be kosher. That being said, the rules are good (see below) and while you don’t have to follow them, we recommend incorporating the spirit of the law into your digital policy.

If you do collect user data from anyone in the European Union, you will probably need to make some changes. Here is the top level gist of what you need to do. (we will have links to the nitty gritty legal stuff at the end)

Only collect the data from users that is truly required to process their request and clearly explain why it is needed. So asking for an email for a free newsletter is fine. Asking for their race, religion, and credit card information is not.

Be uber clear that you are collecting their data. It must be “freely given, specific, informed and unambiguous.” And by unambiguous– the user must clearly state they want to opt-in. So, no opt-out as a default.

Do not sell any user information to anyone else.

Medical information has extra strict rules, however, this is already covered in the US by HIPAA

There are special guidelines when reaching out to people 16 years or younger.

There are really special guidelines when reaching out to those 13 or younger (short version– don’t do it. Reach out to parents.)

Be clear on how long you will retain their information and why.

Delete all information once it is not needed anymore.

If there’s a breach in your security, everyone needs to be notified. No hiding it like when Yahoo was hacked– TWICE– and the hacker got access to all the users’ information.

Make this all crystal clear on your privacy policy. It needs to be easy to read and understand. (something woefully lacking in the US)

European Policy is Good Policy to Follow

Although not required by US law (yet), the above guidelines are good practice for everyone to follow. And it appears that you are following the spirit of the law.

And Verisafe (we have no connection to this company) does a nice job of providing a check list and is much more digestible and clear than the GDPR’s version.

Got more questions? We can’t explain much more than the above, however, you’re welcome to ask. If you do intend on reaching out to anyone in the EU, we do recommend you discuss this with a lawyer with experience on this topic.